SGX attestation is unnecessarily complex

[DemiMarie]

I’m not sure if this is a constructive issue, but it seems that the attestation process is overly complex. In particular, the PCE attests a QE, which then attests the third-party enclave. It would be much simpler for the PCE to attest the third-party enclave directly. This would also avoid quote verification having to check that the quoting enclave identity is correct.

I imagine it is too late to change this, but I am curious what the reason behind this design decision was. The only documentation I can find is that the public part of the PCK might be considered confidential, but that only applies to legacy EPID-based attestation (which is approaching EOL).

[mohsinriaz17]

The whole system is overcomplicated
I have applications running in TEE and i am able to provide the Quote publicly to my users, which was totally useless as there is nothing provided by intel where the non-super dev users can send the quote and get something useful, so i deployed the QVS,
now they can get the report, however, there was no way that the users can see if its coming from intel or i am just faking the report, so i added collateral datas also

now i ask some one from intel to tell my users how easy it is to "validate chain of certs" so they can trust my application, because i for one cannot figure it out.